kusalk commented on code in PR #664: URL: https://github.com/apache/struts/pull/664#discussion_r1122577982
########## core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java: ########## @@ -197,51 +208,61 @@ protected boolean checkEnumAccess(Object target, Member member) { return false; } - protected boolean isPackageExcluded(Package targetPackage, Package memberPackage) { - if (targetPackage == null || memberPackage == null) { - LOG.warn("The use of the default (unnamed) package is discouraged!"); + protected boolean isPackageExcluded(Class<?> targetClass, Class<?> memberClass) { + if (targetClass == null || memberClass == null) { + throw new IllegalArgumentException( + "Parameters should never be null - if member is static, targetClass should be the same as memberClass."); } - String targetPackageName = targetPackage == null ? "" : targetPackage.getName(); - String memberPackageName = memberPackage == null ? "" : memberPackage.getName(); + Set<Class<?>> classesToCheck = new HashSet<>(); + classesToCheck.add(targetClass); + classesToCheck.add(memberClass); - for (Pattern pattern : excludedPackageNamePatterns) { - if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) { + for (Class<?> clazz : classesToCheck) { + if (!isExcludedPackageExempt(clazz) && (isExcludedPackageNamePatterns(clazz) || isExcludedPackageNames(clazz))) { return true; } } + return false; + } - targetPackageName = targetPackageName + "."; - memberPackageName = memberPackageName + "."; + protected String toPackageName(Class<?> clazz) { + if (clazz.getPackage() == null) { + return ""; + } else { + return clazz.getPackage().getName(); + } + } - for (String packageName : excludedPackageNames) { - if (targetPackageName.startsWith(packageName) || memberPackageName.startsWith(packageName)) { + protected boolean isExcludedPackageNamePatterns(Class<?> clazz) { + String packageName = toPackageName(clazz); + for (Pattern pattern : excludedPackageNamePatterns) { + if (pattern.matcher(packageName).matches()) { return true; } } - return false; } - protected boolean isClassExcluded(Class<?> clazz) { - if (clazz == Object.class || (clazz == Class.class && !allowStaticFieldAccess)) { - return true; - } - for (Class<?> excludedClass : excludedClasses) { - if (clazz.isAssignableFrom(excludedClass)) { + protected boolean isExcludedPackageNames(Class<?> clazz) { + String suffixedPackageName = toPackageName(clazz) + "."; + for (String excludedPackageName : excludedPackageNames) { + if (suffixedPackageName.startsWith(excludedPackageName)) { return true; } } return false; } - protected boolean isClassExcludedPackageExempt(Class<?> clazz) { - for (Class<?> excludedPackageExemptClass : excludedPackageExemptClasses) { - if (clazz.isAssignableFrom(excludedPackageExemptClass)) { - return true; - } + protected boolean isClassExcluded(Class<?> clazz) { + if (clazz == Object.class || (clazz == Class.class && !allowStaticFieldAccess)) { + return true; } - return false; + return excludedClasses.stream().anyMatch(clazz::isAssignableFrom); + } + + protected boolean isExcludedPackageExempt(Class<?> clazz) { + return excludedPackageExemptClasses.stream().anyMatch(clazz::equals); Review Comment: Do not exempt superclasses (use #equals instead of #isAssignableFrom) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@struts.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org